Dropbox 17 – Dropbox Server (Hardening)

We’ve been hardening as we go, so there really wasn’t much to do here in the first iteration when I was using Kali 2016.1. By default RPCBIND was bound to all interfaces on port 111 so I ran the following commands to disable it.

# stop the running rpcbind service, then prevent it from starting at boot
systemctl stop rpcbind.service
systemctl disable rpcbind.service

Now there’s even less to do, as it looks like in the 2016.2 release RPCBIND is disabled by default. A review of listening services shows only the connections listening on localhost that we’ve enabled, even without running the above.
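To make that listener review repeatable, here is a small check I have added (it is not part of the original post and assumes the column layout of `ss -tulnH`, i.e. TCP and UDP listeners, numeric, no header). It prints every listener that is not bound to loopback; the sample output embedded below is constructed to show the pre-hardening state with rpcbind on port 111, and the `ss` invocation in the final comment is what you would run live on the Dropbox Server.

```shell
#!/bin/sh
# Added example, not from the original post.
# Lists listening sockets that are bound to something other than loopback.
# Input format assumed: `ss -tulnH` lines
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Constructed sample in `ss -tulnH` layout: a pre-hardening snapshot with
# rpcbind (111) on all interfaces and a couple of localhost-only services.
SAMPLE='udp   UNCONN 0      0      127.0.0.1:53        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3128      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:111         0.0.0.0:*
tcp   LISTEN 0      128    [::1]:22            [::]:*
tcp   LISTEN 0      128    [::]:111            [::]:*'

# Reads `ss -tulnH` lines on stdin and prints "proto local-address" for
# every listener whose local address is not a loopback address.
non_loopback_listeners() {
    awk '{
        addr = $5
        # loopback forms: 127.x.x.x, [::1]:port, or ::1:port
        if (addr ~ /^127\./ || addr ~ /^\[::1\]:/ || addr ~ /^::1:/) next
        print $1, addr
    }'
}

# Number of non-loopback listeners in the constructed sample.
# After disabling rpcbind this should drop to 0.
count_exposed() {
    printf '%s\n' "$SAMPLE" | non_loopback_listeners | wc -l | tr -d ' '
}

# Live check on the actual host (requires iproute2's ss):
#   ss -tulnH | non_loopback_listeners
```

Any line this prints is a service reachable from the network; for the constructed sample it reports the three rpcbind sockets (UDP, TCP and IPv6 on port 111), and after `systemctl stop rpcbind.service` the live run should print nothing.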

According to the following article it should be possible to change the address binding (http://linuxplayer.org/2012/02/why-squid-listen-on-high-udp-port-number). I may consider testing the effect of this modification on proxied web application tests sometime in the future, but for now I have left the default configuration intact.

We could go a step further and block ICMP or filter incoming traffic to the Dropbox Server, but we don’t want to make things overly difficult for ourselves either. This is a penetration testing device after all and at some point we’ll want it to perform ARP spoofing, accept reverse shells, etc…

OK, now to set up our Dropbox Client and start controlling the Dropbox Server remotely, or as I like to call it “How to perform an internal penetration test from <INSERT FAVORITE COFFEE SHOP/PUB HERE>”.